Bitcoin Forum
Author Topic: Fake Electrum version 4.0 and hardware wallets  (Read 671 times)
o_e_l_e_o
September 09, 2020, 06:58:31 PM
 #41

I am just paranoid because I previously made a connection to a bad server, and there is a lot of btc in this wallet. Just need to be extra sure. I haven't used Electrum a lot and now I understand a lot better how it works.
If you want extra peace of mind, then the thing to do is to set up an airgapped Electrum wallet.

Essentially, you take an old computer or laptop and ensure that it will never connect to the internet again - remove the WiFi card, the ethernet adapter, and so on. Create an Electrum wallet on it and back up your seed phrase in the usual way. Then export the master public key (xpub) from that airgapped wallet, transfer it on a flash drive or scan it as a QR code to your main internet-connected computer, and use it to set up what is called a "watch only" wallet in Electrum.

This watch only wallet on your main computer will only be able to view your addresses and coins, but will not be able to spend anything, even if you download malware, a fake wallet, or your computer is physically accessed. To make a transaction, you use the watch only wallet to generate the transaction, move it via flash drive or QR code to your airgapped computer to be signed, and then move it back again to your main computer to be broadcast.
bob123
September 10, 2020, 01:00:25 PM
 #42

I am just paranoid because I previously made a connection to a bad server, and there is a lot of btc in this wallet.

Connecting to a bad server doesn't harm you. Installing malware without verifying the signature does.

If you have a lot of BTC, you actually should either get a hardware wallet, or use a cold storage setup (as described by o_e_l_e_o).
I'd not recommend using a desktop wallet to store an amount of BTC you definitely do not want to lose.

If you are transacting very often, get a hardware wallet (~70$). If not, a cold storage setup would be even better.
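
The signature check this reply refers to, as an added example that is not part of the thread or of Electrum's own tooling: it accepts an installer only when `gpg` reports a valid signature from one pinned key fingerprint, rather than from any key that happens to be in the keyring. The function names are hypothetical, and the fingerprint passed in is a placeholder that has to come from a source you trust independently of the download page.

```shell
#!/bin/sh
# Added example: accept an installer only if the pinned key signed it.

# check_status EXPECTED_FPR   (reads `gpg --status-fd` lines on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the signing key or
# as its primary key. Any BADSIG, EXPKEYSIG or REVKEYSIG line fails the check.
# ERRSIG (signature by a key not in the keyring) is ignored and never counts.
check_status() {
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    [ -n "$want" ] || return 2
    ok=1                                  # fail closed until proven otherwise
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                signer=${rest%% *}        # first field: key that made the signature
                primary=${rest##* }       # last field: primary key fingerprint
                if [ "$signer" = "$want" ] || [ "$primary" = "$want" ]; then
                    ok=0
                fi ;;
        esac
    done
    return "$ok"
}

# verify_installer FILE SIGNATURE EXPECTED_FPR
# If gpg is missing or prints nothing, check_status sees no VALIDSIG and fails.
verify_installer() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Usage (file names and fingerprint are placeholders):
#   verify_installer electrum-installer electrum-installer.asc "<PINNED FINGERPRINT>" \
#       && echo "signature OK" || echo "DO NOT INSTALL"
```

A plain "Good signature" message only says that some key in the keyring signed the file; comparing the fingerprint is what ties the installer to the developer's key.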

DaveF
September 10, 2020, 11:29:12 PM
 #43

Or, you can also set up multisig.

https://en.bitcoin.it/wiki/Multisignature

This way even if you download malware you would have to do it in more than 1 location.
If you are even more paranoid you can use 3 different types of devices. PC, iPhone, Android phone and then set up 3 of 3 required to sign.

You would have to download 3 pieces of malware to actually lose your BTC.

-Dave

pooya87
September 11, 2020, 03:26:26 AM
 #44

Or, you can also set up multisig.

https://en.bitcoin.it/wiki/Multisignature

This way even if you download malware you would have to do it in more than 1 location.
If you are even more paranoid you can use 3 different types of devices. PC, iPhone, Android phone and then set up 3 of 3 required to sign.

You would have to download 3 pieces of malware to actually lose your BTC.

-Dave

usually people who are so reckless about their security (that is ignoring the most important step of all, verifying the signature of the wallet installer they download) they are reckless overall. using a multisig won't help them much either because they may as well update those clients recklessly too or even ignore looking at the transaction they are signing and still send the coins to the scammer!

DaveF
September 11, 2020, 01:54:50 PM
 #45

...
-Dave

usually people who are so reckless about their security (that is ignoring the most important step of all, verifying the signature of the wallet installer they download) they are reckless overall. using a multisig won't help them much either because they may as well update those clients recklessly too or even ignore looking at the transaction they are signing and still send the coins to the scammer!

True.

Anyway, back to the thread: I installed the malware on another laptop that I am wiping now and it did not see an old Trezor.
The authentic 3.1.1 did, so unless they went even older than that when creating the malware, they either cut the hardware wallet support out or just broke it by accident.

This is just with the 1 version of the bad software that I had, I do not know if there are more versions out there that are different.

-Dave

bob123
September 11, 2020, 02:49:39 PM
 #46

The authentic 3.1.1 did, so unless they went even older than that when creating the malware, they either cut the hardware wallet support out or just broke it by accident.

My guess would be that they simply took that part out of the code.
The malicious version creates and broadcasts a transaction as soon as possible. It wouldn't work with a hardware wallet, so I guess they simply ignored that and removed that part.

Just a guess tho.

DaveF
September 12, 2020, 12:04:48 PM
 #47

The authentic 3.1.1 did, so unless they went even older than that when creating the malware, they either cut the hardware wallet support out or just broke it by accident.

My guess would be that they simply took that part out of the code.
The malicious version creates and broadcasts a transaction as soon as possible. It wouldn't work with a hardware wallet, so I guess they simply ignored that and removed that part.

Just a guess tho.

Agreed, it was just more of a test / answer to the OP's question.
Also, as I noted mine was a sample size of one. No idea if there are more versions of the malware out there and what other capabilities they have.

And there is also the thread that witcher_sense started here: https://bitcointalk.org/index.php?topic=5273132

Stay safe.

-Dave

philinje
September 16, 2020, 04:53:36 PM
 #48

I am just paranoid because I previously made a connection to a bad server, and there is a lot of btc in this wallet. Just need to be extra sure. I haven't used Electrum a lot and now I understand a lot better how it works.
If you want extra peace of mind, then the thing to do is to set up an airgapped Electrum wallet.

Essentially, you take an old computer or laptop and ensure that it will never connect to the internet again - remove the WiFi card, the ethernet adapter, and so on. Create an Electrum wallet on it and back up your seed phrase in the usual way. Then export the master public key (xpub) from that airgapped wallet, transfer it on a flash drive or scan it as a QR code to your main internet-connected computer, and use it to set up what is called a "watch only" wallet in Electrum.

This watch only wallet on your main computer will only be able to view your addresses and coins, but will not be able to spend anything, even if you download malware, a fake wallet, or your computer is physically accessed. To make a transaction, you use the watch only wallet to generate the transaction, move it via flash drive or QR code to your airgapped computer to be signed, and then move it back again to your main computer to be broadcast.

Thanks for this guidance. Quick question: how do I move the transaction via flash drive or QR code to the airgapped computer? Just not so obvious in the product. If there is a tutorial somewhere, happy to look at that.
bob123
September 16, 2020, 06:01:35 PM
 #49

Thanks for this guidance. Quick question: how do I move the transaction via flash drive or QR code to the airgapped computer?

You need to export/save the transaction instead of broadcasting it.
Then simply move that transaction (saved to file) via USB or scan it with a camera (QR).
On the other device, load the transaction via Electrum, then sign/broadcast it.

o_e_l_e_o
September 16, 2020, 08:18:01 PM
 #50

Quick question: how do I move the transaction via flash drive or QR code to the airgapped computer? Just not so obvious in the product. If there is a tutorial somewhere, happy to look at that.
On the watch only wallet, you input your destination address and amount normally, and hit the "pay" button. Then choose your fee and hit "send" (or "finalize" if you are using advanced preview). Once you've done that, on the new window which opens down the bottom left you will see the option to "Export" the transaction you have created. From that drop down menu, you can choose to either export it to a file to put on a USB stick and transfer to your cold wallet, or to display it as a QR code.

On the cold wallet, go to Tools -> Load transaction, and choose either from file (which will open a file explorer) or from QR code (which will activate any attached camera). You can then sign that transaction, and then reverse the steps to move the signed transaction back to your watch only wallet. Once you've loaded the signed transaction on your watch only wallet, you will be able to hit the "Broadcast" button to send it.

There's a tutorial for this on the Electrum documentation, but the screenshots are quite out of date: https://electrum.readthedocs.io/en/latest/coldstorage.html
philinje
September 22, 2020, 07:07:16 PM
Merited by o_e_l_e_o (2)
 #51

Quick question: how do I move the transaction via flash drive or QR code to the airgapped computer? Just not so obvious in the product. If there is a tutorial somewhere, happy to look at that.
On the watch only wallet, you input your destination address and amount normally, and hit the "pay" button. Then choose your fee and hit "send" (or "finalize" if you are using advanced preview). Once you've done that, on the new window which opens down the bottom left you will see the option to "Export" the transaction you have created. From that drop down menu, you can choose to either export it to a file to put on a USB stick and transfer to your cold wallet, or to display it as a QR code.

On the cold wallet, go to Tools -> Load transaction, and choose either from file (which will open a file explorer) or from QR code (which will activate any attached camera). You can then sign that transaction, and then reverse the steps to move the signed transaction back to your watch only wallet. Once you've loaded the signed transaction on your watch only wallet, you will be able to hit the "Broadcast" button to send it.

There's a tutorial for this on the Electrum documentation, but the screenshots are quite out of date: https://electrum.readthedocs.io/en/latest/coldstorage.html

Thanks Bob123 and oeleo. Really helpful, and totally makes sense. All the cool features in Electrum are starting to become clear.

Hate to backtrack a bit, but I did a small transfer, not using the airgapped wallet technique, and it seems the transfer is "pending" and has stayed that way for nearly 12 hours. It definitely did not make it to the blockchain. I used the known safe server recommended earlier, which worked previously with a different wallet. Just wondering if there are some known reasons for the pending state, and possible workarounds?
o_e_l_e_o
September 22, 2020, 07:20:48 PM
 #52

Is this showing up as "Pending" in the "History" tab on Electrum? If so, most likely it is just that the fee is too low.

Go to the transaction, right click on it, and click on "View Transaction". Copy the "Transaction ID" from the top box and paste it into this website: https://blockchair.com/

Does the transaction show up? If it does, what is the fee per vbyte?

nc50lc
September 23, 2020, 01:53:54 PM
 #53

and it seems the transfer is "pending" and has stayed that way for nearly 12 hours. It definitely did not make it to the blockchain.
You haven't successfully created a transaction.
The "pending" in the send tab means that you've just clicked "save" or cancelled the window that pops up after you click "pay".
That invoice is incomplete/outdated, I'd suggest you delete it (right-click->delete).

For now pay no attention to the "send" tab's invoices, those aren't related to the blockchain, those are client-based entries.
Refer to the "history" tab instead and check if there are other entries that might be another (un)successful attempt; if there are none, send it again.
